EDPB Turns Down German DPA On Binding Order; Asks DPC To Investigate Facebook and WhatsApp’s Data Processing
TSA issues new cybersecurity directive to pipelines; Senate FY 2022 NDAA advances; Australian regulator to look into online retail
The European Data Protection Board (EDPB) denied a request by the Hamburg Commissioner for Data Protection and Freedom of Information (the Hamburg DPA or the DE-HH SA) to force Ireland’s Data Protection Commission (DPC) to take immediate steps against Facebook, WhatsApp, and Instagram because of WhatsApp’s proposed changes to its Privacy Policy and Terms of Service, which proved controversial earlier this year. The EDPB ruled against the Hamburg DPA and will not order the DPC to act immediately against Facebook and WhatsApp, on the grounds that it is not clear whether the companies’ data processing is illegal under the General Data Protection Regulation (GDPR). The EDPB instead asked the DPC to investigate Facebook and WhatsApp over their data processing and whether it comports with the GDPR. The Board took this step because it is not sure whether the DE-HH SA’s allegations about the companies’ data processing are true.
This is not the first time the DPC’s regulation of U.S. technology giants has been questioned, and this is not the only GDPR action Facebook is facing. Last year, the EDPB had to step in and settle a dispute between the DPC and other supervisory authorities over the proper punishment of Twitter for data breaches (see here for more detail and analysis). Ultimately, the DPC was forced to revise its punishment of Twitter upward per the EDPB’s instructions.
Moreover, the DPC is already investigating Facebook regarding “multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet.” The DPC and Facebook have also faced off in Irish court over the ramifications of the Court of Justice of the European Union’s (CJEU) decision last summer that struck down the European Union-United States Privacy Shield adequacy decision. none of your business (noyb) had litigated against the DPC to force it to regulate Facebook in light of the general ban on transfers of personal data to the U.S. In exchange for settling the case, noyb claimed the DPC has agreed to move forward with enforcing the CJEU’s decision against Facebook’s data transfers. Subsequent action is expected.
Turning back to the dispute that led to the EDPB’s binding decision, in mid-December 2020, the DPC informed the other DPAs and supervisory authorities (SA) in the European Economic Area (EEA) that Facebook/WhatsApp would be changing the latter’s privacy policy and terms of service in the European Union (EU). Users of WhatsApp the world over were greeted with a screen indicating the company would be changing these policies, giving rise to fears that WhatsApp would start handing over the personal data of users to Facebook. In early January, the DE-HH SA pointed out the DPC had not provided its view on these changes, and the DPC thereafter shared information about meetings and materials Facebook/WhatsApp had provided. The DE-HH SA reiterated that the DPC still had not shared its views on the proposed changes and offered its concerns “regarding the data sharing of Facebook IE and WhatsApp IE for different purposes of each company.” The DE-HH SA also indicated it may use Article 66 of the GDPR for an urgency procedure.
After the exchange of further information between the DPC and the DE-HH SA, in April the latter asked the former “to conduct investigations into the specific processing of WhatsApp IE and Facebook.” Later that month, the DPC informed the EEA DPAs and SAs that “the Updated Terms are ‘[...] largely a carryover of the text of the existing policy and no new text signifying any change in WhatsApp’s position is included regarding the sharing of WhatsApp user data with Facebook or access by Facebook for Facebook’s own purposes.’” The DPC also informed these agencies that “it commenced a supervision review and assessment of WhatsApp IE’s oversight and monitoring of its data processors (chiefly Facebook), including the safeguards, mechanisms and audit processes in place to ensure that Facebook IE does not use WhatsApp IE user data for its own purposes, inadvertently or otherwise.” In May the DE-HH SA adopted its provisional measures against Facebook and WhatsApp and requested an urgent decision from the EDPB in June.
The EDPB further explained:
§ Following the notification by WhatsApp Ireland Ltd (hereinafter “WhatsApp IE”) to German users of its new Terms of Service and Privacy Policy, and the extension of the deadline for users to provide consent to 15 May 2021, the DE-HH SA came to the conclusion that Facebook Ireland Ltd (hereinafter “Facebook IE”) is already processing data of WhatsApp users residing in Germany for its own purposes in some cases, and that processing for its own purposes is imminent in other cases. The DE-HH SA considers that the processing of personal data of WhatsApp IE users residing in Germany by Facebook IE for the purposes of Facebook IE violates Article 5(1), Article 6(1) and Article 12(1) GDPR. Therefore the DE-HH SA adopted, on 10 May 2021, provisional measures under Article 66(1) GDPR, based on its consideration that the circumstances were exceptional and there was an urgent need to act to protect the rights and freedoms of data subjects.
§ Through its provisional measures, the DE-HH SA prohibited, for a duration of 3 months, Facebook IE from processing personal data of WhatsApp users residing in Germany, which is transmitted from WhatsApp IE to Facebook IE for the purposes of 1. Cooperation with other Facebook Companies; 2. Security and integrity of Facebook; 3. Improvement of the product experience; 4. Marketing communication and direct marketing; 5. WhatsApp Business API; to the extent that the processing is being carried out for Facebook IE's own purposes.
The EDPB explained the procedure under the GDPR the Hamburg DPA used to request an urgent decision:
§ Pursuant to Article 66(1) GDPR, in exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 GDPR or the procedure referred to in Article 60 GDPR, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months.
§ In accordance with Article 66(2) GDPR, where a supervisory authority has taken a measure pursuant to Article 66(1) GDPR and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision. The request for an urgent opinion or urgent binding decision in the context of Article 66(2) and (3) GDPR is optional.
The EDPB summed up the DE-HH SA’s case:
§ According to the DE-HH SA, Facebook IE is already processing data of WhatsApp users for its own purposes or will imminently do so.
§ The DE-HH SA considers that Facebook IE has no legal basis for the processing of WhatsApp user data for its own purposes, hence it is unlawful due to the lack of effective consent of WhatsApp users within the meaning of Article 6(1)(a) and Article 7 GDPR, and of a legitimate interest within the meaning of Article 6(1)(f) GDPR.
§ The DE-HH SA considers that the consent requested by WhatsApp in its Terms of Service of 4 January 2021 does not meet the requirements of informed and free consent within the meaning of Article 6(1)(a) and Article 7 GDPR.
§ The DE-HH SA states that the Updated Terms are not understandable by users; they do not comply with the transparency requirements under Article 5(1)(a), Article 12(1) and Article 13(1)(c) and (e) GDPR; the explanations on data exchange are partly contradictory and inconsistent, as well as largely undefined; the statements on data exchange are scattered in various documents at different levels and do not allow users to take note of them in a uniform manner. The DE-HH SA also explains why the transparency requirements are not fulfilled in relation to each of the specific purposes it identified (see hereinafter).
§ In addition, the DE-HH SA underlines that considering the market position of Facebook and WhatsApp, users do not have a choice to consent or not, as not using WhatsApp is not an acceptable alternative because of the wide use of such a closed messenger system. According to the DE-HH SA, it is not possible to continue the use of WhatsApp’s service on the basis of WhatsApp’s previously applicable terms and conditions.
§ The DE-HH SA states that Article 6(1)(b) GDPR is not relevant as the transfer of WhatsApp user data to Facebook IE, and further processing by the latter for its own purpose, is not necessary for the performance of a contract concluded between WhatsApp IE and the data subjects or between Facebook IE and the data subjects. For those WhatsApp users who are not Facebook users, the DE-HH SA considers that there is already a lack of corresponding contractual relationship between Facebook IE and such concerned WhatsApp users.
§ The DE-HH SA notes that, should Facebook IE use Article 6(1)(f) GDPR as a ground for such processing, it would need to transparently inform users about this on the basis of Article 13(1)(c) GDPR. Moreover, according to the DE-HH SA, even for purposes for which a legitimate interest may exist, for example to prevent the sending of spam in the area of network security, Facebook’s legitimate interest does not outweigh the fundamental rights and freedoms of the users. The DE-HH SA underlines in particular the large amount of data processed, which cannot be justified by Facebook’s legitimate interests. The DE-HH SA also raises that there is a complete lack of necessity for the data sharing with Facebook IE of WhatsApp users that are not Facebook users.
§ Besides, the DE-HH SA underlined a violation of the transparency requirements under Article 5(1) GDPR and Article 12(1) GDPR. This is due to the large number of different documents that users need to read to understand what is done with their personal data; to the inadequate consideration of the fact that users usually access such information via their smartphones, which, from a technical perspective, makes it more difficult to comprehend; to the existence of two versions of Terms of Service (one for users within the EEA and one for users from the rest of the world); and to how easy it is for users in the EEA to confuse the public-facing information applicable to them and the information applicable to non-EEA users.
§ The DE-HH SA identified five processing purposes which it considers are already being carried out or could be carried out imminently by Facebook IE as a controller: 1) Security and integrity of Facebook; 2) Improvement of the product experience; 3) Marketing communication and direct marketing; 4) WhatsApp Business API; and 5) Cooperation with other Facebook Companies. These purposes are subject to the provisional measures ordered by the DE-HH SA and are further assessed hereinafter.
The Board concluded “it does not have sufficient information in the present procedure to conclude whether infringements are taking place” and thereafter denied the DE-HH SA’s request for an urgent binding decision. Nonetheless, the EDPB is asking the DPC to investigate Facebook and WhatsApp for the following:
§ Nonetheless, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, the Commitments, and Facebook IE and WhatsApp IE’s respective written submissions, the EDPB is not in a position to determine with certainty which processing operations the other Facebook Companies, including Facebook IE, are actually carrying out in relation to WhatsApp’s user data and in which capacity.
§ Accordingly, the EDPB requests the LSA competent for Facebook IE and WhatsApp IE to carry out a statutory investigation to unveil whether Facebook IE has already started to process WhatsApp’s user data for the common purpose of safety, security and integrity of the Facebook Companies, and if so, whether it is acting as a processor on behalf of WhatsApp IE or as a (joint) controller with WhatsApp IE. In particular, in this respect the LSA should analyse the possible combination and/or comparison at individual level of the personal data of WhatsApp users with the data of the Facebook Companies, which enables the Facebook Companies to understand whether a particular person uses different services of the Facebook Companies, which serves their common purpose of safety, security and integrity. The EDPB further requests the LSA to carry out a statutory investigation to assess whether Facebook IE has a legal basis to conduct such processing lawfully as a (joint) controller pursuant to Articles 5(1)(a) and 6(1) GDPR.
§ Whilst the EDPB considers that SAs enjoy a certain degree of discretion to decide how to frame the scope of their inquiries, the EDPB recalls that one of the main objectives of the GDPR is to ensure consistency throughout the EU, and the cooperation between the LSA and CSAs is one of the means to achieve this. Therefore, the EDPB calls upon the LSA to make full use of the cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR) while carrying out such investigation.
Other Developments
§ The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced “the issuance of a second Security Directive that requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.” DHS added:
o The Department’s Cybersecurity and Infrastructure Security Agency (CISA) advised TSA on cybersecurity threats to the pipeline industry, as well as technical countermeasures to prevent those threats, during the development of this second Security Directive. This Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.
o This is the second Security Directive that TSA has issued to the pipeline sector this year, building upon an initial Security Directive that TSA issued in May 2021 following the ransomware attack on a major petroleum pipeline. The May 2021 Security Directive requires critical pipeline owners and operators to (1) report confirmed and potential cybersecurity incidents to CISA; (2) designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week; (3) review current practices; and, (4) identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
§ The Senate Armed Services Committee completed its markup of its FY 2022 National Defense Authorization Act (NDAA) and issued a summary of the bill instead of actual text as has been customary. Their House counterparts are set to mark up their bill in early September. In the summary, the committee highlighted technology funding and programmatic provisions:
o The 61st annual NDAA supports a total of $777.9 billion in fiscal year 2022 funding for national defense. Within this topline, the legislation authorizes $740.3 billion for the Department of Defense (DOD) and $27.7 billion for national security programs within the Department of Energy (DOE). This legislation, like the President’s budget request, does not include a separate Overseas Contingency Operations (OCO) request – any war-related costs are included in the base budget.
o Strengthening DOD’s Cybersecurity Posture
§ Requires the development of a joint zero trust strategy and a model architecture for the Department of Defense Information Network and a data management strategy.
§ Requires a program to demonstrate and assess an automated security validation capability to assist the Department in cybersecurity efforts.
§ Directs an assessment of the utility and cost-benefits of using capabilities to make risk-based vulnerability remediation decisions, identify key cyber terrain and assets, identify single-node mission dependencies, and monitor for changes in mission threat execution.
§ Authorizes an increase of $268.4 million across the DOD to support cybersecurity efforts.
o Enhancing CYBERCOM’s Authorities and Capabilities
§ Authorizes full funding for U.S. Cyber Command (CYBERCOM).
§ Assigns to the Commander, CYBERCOM, responsibility for directly controlling and managing the planning, programming, budgeting, and execution of the resources to maintain the Cyber Mission Forces.
§ Requires the Commander, CYBERCOM, to establish a voluntary process for engaging with the commercial information technology and cybersecurity companies to develop methods of coordination to protect against foreign malicious cyber actors.
§ Encourages CYBERCOM Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN) to explore further application of commercial off-the-shelf solutions across the command to address urgent intelligence and operations gaps.
o Responding to the Cyber Threat Environment
§ Requires an assessment of the current and emerging offensive cyber posture of adversaries of the United States and the plans of the military services for offensive cyber operations during potential conflict.
§ Requires an assessment of the policy, capacity, and capabilities of DOD to defend the United States from ransomware attacks.
§ Requires the Secretary of Defense to develop a pilot program to assess the feasibility and advisability of entering into voluntary public-private partnerships with Internet ecosystem companies to discover and disrupt the use of their platforms, systems, services, and infrastructure by malicious cyber actors.
§ Directs DOD to conduct an assessment of the need to establish a cyberspace foundational and science and technical intelligence center; focus on wargaming activities and capabilities; and enhance operation models and simulations.
§ Requires the Secretary of Defense to submit a report on the plans for the Cyber Maturity Model Certification Program.
§ Strengthens the university cyber consortium of academic institutions that have been designated as Cyber Centers of Academic Excellence for cyber operations, cyber research, and cyber defense.
§ Directs the establishment of a working group to review and propose updates to DOD and component acquisition policy and guidance on cybersecurity requirements for systems and weapon acquisitions and report on specific proposals for updating policy and guidance.
§ Directs the Comptroller General to assess DOD’s efforts to address information and communications technology supply chain risks.
§ Requires a report on ways the DOD can improve support to the Cybersecurity and Infrastructure Security Agency to increase awareness of threats and vulnerabilities.
§ The House Energy and Commerce Committee marked up a number of bills, including the following as described in a committee briefing memorandum:
o H.R. 4026, the “Social Determinants of Health Data Analysis Act of 2021”, introduced by Reps. Burgess (R-TX) and Blunt Rochester (D-DE), requires the Comptroller General of the United States to submit to Congress within two years of enactment a report on the actions taken by the Secretary of Health and Human Services (HHS) to address social determinants of health. The report shall include: an analysis of how data collection undertaken by HHS complies with Federal and state privacy laws and regulations, a description of any coordination by HHS with other relevant Federal, State, and local agencies, an identification of any potential for duplication or any barriers, and recommendations on how to foster public-private partnerships and leverage the private sector to address social determinants of health.
o H.R. 2685, the “Understanding Cybersecurity of Mobile Networks Act”, introduced by Reps. Eshoo and Kinzinger (R-IL), would require the National Telecommunications and Information Administration (NTIA) to examine and report on the cybersecurity of mobile service networks and the vulnerability of these networks and mobile devices to cyberattacks and surveillance conducted by adversaries. The report must include an assessment of the degree to which providers of mobile service have addressed certain cybersecurity vulnerabilities; a discussion of the degree to which these providers have implemented cybersecurity best practices and risk assessment frameworks; and an estimate of the prevalence and efficacy of encryption and authentication algorithms and techniques used in mobile service and communications equipment, mobile devices, and mobile operating systems and software, among other things.
o H.R. 3919, the “Secure Equipment Act of 2021”, introduced by Reps. Scalise (R-LA) and Eshoo, would direct the Federal Communications Commission (FCC) to clarify that it will no longer review or approve applications from companies on the Commission’s “Covered List.” The bill would prevent further integration and sales of Huawei, ZTE, Hytera, Hikvision, and Dahua – all Chinese state-backed or directed firms – in the United States regardless of whether federal funds are involved. An AINS is expected to be offered to clarify that the rules required by the legislation should not apply retroactively to equipment previously authorized by the FCC, and that the legislation does not prevent the FCC from studying whether, in a future proceeding, the rules should apply retroactively.
o H.R. 4028, the “Information and Communication Technology Strategy Act”, introduced by Reps. Long (R-MO), Spanberger (D-VA), Carter (R-GA), and McNerney (D-CA), would direct the Secretary of Commerce to submit to Congress within one year a report analyzing the state of economic competitiveness of trusted vendors in the information and communication technology supply chain, identifying which components or technologies are critical or vulnerable, and identifying which components or technologies U.S. networks depend on. It would also require the Secretary to submit to Congress, within six months after the report is submitted, a whole-of-government strategy to ensure the competitiveness of trusted vendors in the United States.
o H.R. 4032, the “Open RAN Outreach Act”, introduced by Reps. Allred (D-TX), O’Halleran (D-AZ), Guthrie, and Hudson, directs the NTIA Administrator to provide outreach and technical assistance to small communications network providers regarding Open Radio Access Networks (Open RAN). An AINS is expected to be offered to clarify that the outreach and technical assistance should address the uses, benefits, and shortcomings of Open RAN; that the technical assistance may be related to participation in the grant program authorized in the FY 2021 National Defense Authorization Act; and that NTIA may use such grant funds to carry out the legislation.
o H.R. 4045, the “FUTURE Networks Act”, introduced by Reps. Doyle (D-PA), Johnson (R-OH), and McBath (D-GA), would require the FCC to create a 6G (sixth-generation) Task Force. The bill stipulates that the membership of the Task Force shall be appointed by the FCC Chair, and that the Task Force membership be composed, if possible, of representatives from trusted companies (meaning those not controlled by foreign adversaries), trusted public interest groups, and trusted government representatives with at least one representative from federal, state, local, and tribal governments. The Task Force would have to submit a report to Congress on 6G wireless technology, including the possible uses, strengths, and limitations of 6G (including any supply chain, cybersecurity, or other limitations that will need to be addressed in future generations of wireless technologies).
o H.R. 4046, the “NTIA Policy and Cybersecurity Coordination Act”, introduced by Reps. Duncan (R-SC), Wild (D-PA) and Curtis, would authorize the existing NTIA Office of Policy Analysis and Development and rename it the Office of Policy Development and Cybersecurity. In addition to codifying the responsibilities of NTIA in administering the information sharing program in Section 8 of the Secure and Trusted Communications Act, the Office would be assigned functions to coordinate and develop policy regarding the cybersecurity of communications networks.
o H.R. 4055, the “American Cybersecurity Literacy Act”, introduced by Reps. Kinzinger, Eshoo, Veasey (D-TX), Houlahan (D-PA), and Bilirakis, would require NTIA to develop and conduct a cybersecurity literacy campaign to educate U.S. individuals and businesses about common cybersecurity risks and best practices. An AINS is expected to be offered to make technical changes to the bill.
o H.R. 4067, the “Communications Security Advisory Act of 2021”, introduced by Reps. Slotkin (D-MI), Schrader (D-OR) and Walberg (R-MI), would codify an existing FCC advisory council, the Communications Security, Reliability, and Interoperability Council, focused on network security, resiliency, and interoperability. It also requires biennial reporting to the FCC, Congress, and public with recommendations to improve communications networks on such issues.
§ The Australian Competition & Consumer Commission (ACCC) announced that it “is examining competition and consumer concerns with general online retail marketplaces such as eBay Australia, Amazon Australia, Kogan and Catch.com.au as part of its inquiry into digital platform services in Australia.” This inquiry is part of the ACCC’s “five-year inquiry into markets for the supply of digital platform services in Australia and their impacts on competition and consumers, following a direction from the Treasurer.” The ACCC explained:
o The ACCC is keen to receive submissions from consumers, platforms and third-party sellers, from small businesses to major brands, to inform its inquiry, and has released an issues paper today. Consumers and small business sellers are also invited to share their experiences with marketplaces by completing short online surveys.
o General online retail marketplaces allow sellers to list a range of products which can be searched for, found and purchased by consumers. These marketplaces compete against each other, as well as against so-called bricks and mortar businesses, to attract both buyers and sellers.
o The ACCC will examine the marketplaces and their relationships with third-party sellers and consumers, as well as how these marketplaces affect competition in Australian markets.
o The ACCC will consider pricing practices, the use of data, the terms and conditions imposed on third-party sellers, and the impacts on competition when the marketplace itself operates as a seller on the platform.
o Key consumer issues to be considered include the ability of customers to leave and read reviews of sellers and products, how complaints are handled and how consumers’ data is collected and used.
o The issues paper also looks at the services offered by the marketplaces, the market structures and the way the markets work.
§ Texas Attorney General Ken Paxton and the Knight First Amendment Institute and the American Civil Liberties Union (ACLU) of Texas reached a settlement over the latter two’s suit against Paxton for blocking users from his personal Twitter account. The First Amendment Institute stated in its press release:
o Texas Attorney General Ken Paxton has unblocked all critics from his @KenPaxtonTX Twitter account and has agreed not to block people based on viewpoint in the future. Paxton’s agreement, memorialized in a joint stipulation filed late Friday in federal court in Austin, brings to a close a lawsuit challenging Paxton’s actions under the First Amendment.
o The case was filed in April 2021 by the Knight First Amendment Institute at Columbia University and the American Civil Liberties Union of Texas on behalf of nine individual plaintiffs and the Knight Institute. Paxton had blocked the individual plaintiffs from his @KenPaxtonTX account after they criticized him or his policies in their own tweets.
§ The United Kingdom’s (UK) Financial Conduct Authority (FCA) issued its Annual Report and Accounts and its Business Plan, and in the latter, the FCA asserted:
o Digital competition
o We will continue to assess the impact that digitalisation can have on competition to help ensure that digital financial services markets:
§ deliver greater value for consumers by fostering effective competition while providing appropriate protection
§ provide consumers with a choice of quality products that meet their needs at a competitive price
o We will collaborate with external parties, including the Government, the Digital Markets Unit and through our Digital Regulation Cooperation Forum membership.
§ The Senate Homeland Security and Governmental Affairs Committee marked up and reported out a number of technology bills, including:
o S. 1917, K-12 Cybersecurity Act of 2021;
o S. 2201, Supply Chain Security Training Act of 2021;
o S. 1324, Civilian Cyber Security Reserve Act;
o In a press release, Chair Gary Peters (D-MI) summarized two of the bills:
§ The K-12 Cybersecurity Act directs the Cybersecurity and Infrastructure Security Agency (CISA) to work with teachers, school administrators, other federal departments and private sector organizations to complete a study of cybersecurity risks specific to K-12 educational institutions, including risks related to securing sensitive student and employee records and challenges related to remote-learning. Following the completion of that study, the bill directs CISA to develop cybersecurity recommendations and an online toolkit to help schools improve their cybersecurity hygiene. Schools are responsible for securing a considerable amount of sensitive records related to their students and employees, including student grades, family records, medical histories, and employment information. In 2020, K-12 public schools saw a record-breaking number of cyber-attacks with more than 400 publicly-reported incidents.
§ The Supply Chain Security Training Act directs the General Services Administration in coordination with the Department of Homeland Security, Department of Defense and the Office of Management and Budget to create a standardized training program to help federal employees responsible for purchasing services and equipment identify whether those products could compromise the federal government’s information security. Recent breaches of federal information systems exploited vulnerabilities in the SolarWinds and Microsoft Exchange networks, highlighting the need for robust technological supply chain security and the importance of ensuring agency personnel responsible for managing these resources are well versed and up-to-date on cybersecurity threats and other attempts to steal sensitive or valuable information.
o Senator Jacky Rosen (D-NV) summarized her bill, the “Civilian Cyber Security Reserve Act” (S.1324):
§ According to the Government Accountability Office, the consistent shortage of cyber security personnel represents a high risk to national security. To address this shortage, the bipartisan Civilian Cyber Security Reserve Act establishes a civilian cyber security reserve pilot program, which authorizes cybersecurity reservists to provide surge capacity in response to significant incidents. Activated personnel would serve in temporary positions, for up to six months, as Federal civil service employees to supplement existing cybersecurity personnel. Participation would be voluntary and by invitation only. The legislation is modeled after recommendations from the National Commission on Military, National, and Public Service and Cyberspace Solarium Commission reports to establish a cyber security reserve corps.
§ The Texas Supreme Court allowed suits to advance against Facebook brought by three people who say they were victims of sex trafficking. The court agreed with Facebook that 47 USC 230 blocked most of the grounds on which the plaintiffs sought to sue the company but allowed their suits to continue on the basis of the carveout to Section 230 enacted in 2018 in the “Allow States and Victims to Fight Online Sex Trafficking Act” (P.L. 115-164). The court explained:
o Facebook seeks writs of mandamus directing the dismissal of three lawsuits pending against it in district court. The plaintiffs in all three cases allege they were victims of sex trafficking who became entangled with their abusers through Facebook. They assert claims for negligence, negligent undertaking, gross negligence, and products liability based on Facebook’s alleged failure to warn of, or take adequate measures to prevent, sex trafficking on its internet platforms. They also assert claims under a Texas statute creating a civil cause of action against those who intentionally or knowingly benefit from participation in a sex-trafficking venture.
o In all three lawsuits, Facebook moved to dismiss all claims against it as barred by section 230 of the federal “Communications Decency Act” (“CDA”), which provides that “[n]o cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.” 47 U.S.C. § 230(e)(3). Facebook contends that all the plaintiffs’ claims are “inconsistent with” section 230(c)(1), which says that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
o For the reasons explained below, we deny mandamus relief in part and grant it in part. The plaintiffs’ statutory human-trafficking claims may proceed, but their common-law claims for negligence, gross negligence, negligent undertaking, and products liability must be dismissed.
§ The Cybersecurity and Infrastructure Security Agency (CISA) launched “its newest federal enterprise security initiative: mobile cybersecurity shared services that is piloting three capabilities to improve the security of government furnished equipment (GFE) mobile devices (e.g., smartphones and tablets) and applications.” CISA stated that “[t]he pilots will be managed by CISA’s Cybersecurity Quality Services Management Office (QSMO).” CISA provided more detail on the pilots:
o Vetting Mobile Application Security
o The first CISA mobile security pilot is a new mobile application vetting (MAV) service, which will evaluate the security of government-developed mobile applications (apps) and third-party apps used on GFE mobile devices. The service will identify app vulnerabilities, flaws, and possible risks—either accidental coding errors or intentionally placed malicious code—to mobile devices as well as app and enterprise security so that steps can be taken to fix discovered issues.
o Kryptowire, Inc. of Tysons Corner, VA, has been awarded phase III of a Small Business Innovation Research contract for the MAV service. They will develop a pilot capability, implementing the mobile app and firmware analysis MAV service with the goal of providing mobile app vetting and firmware vulnerability analysis as a scalable service to the Federal Civilian Executive Branch (FCEB). The test pilot will launch in fiscal year 2022 and consists of up to three early-adopter agencies.
o Verifying Mobile Device Security
o The second mobile security pilot is focused on mobile device security. The Traveler-Verified Information Protection (T-VIP) service is a device-integrity validation tool that detects software, firmware and hardware modifications to a smartphone between two points in time.
o Because government travelers need their GFE mobile devices to stay in contact with their offices while traveling to foreign countries, embassies, or external sites, they can be prime targets for compromise. These travelers cannot monitor what occurs “under the hood” of their mobile devices, so comparisons of pre-travel and post-travel scans by the T-VIP software—developed by Pacific Northwest National Laboratory—will identify suspicious changes on the devices made during their travel, thus increasing the security of sensitive government information. T-VIP is a government-off-the-shelf solution and is for official government use only. The service is being piloted for adoption as a full mobile cybersecurity shared offering to FCEB agencies.
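The pre-travel/post-travel comparison described above can be illustrated with a small differential integrity check. This is an added example, not T-VIP or any Pacific Northwest National Laboratory code; the snapshot fields (firmware version, bootloader state, component identifiers, file hashes), the severity scheme and the sample device contents are assumptions constructed for the example.

```python
"""Differential device-integrity check: compare a baseline snapshot taken
before travel with one taken afterwards and report every change.
Illustrative only: the snapshot fields are assumptions, not T-VIP's."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file content; file hashes are the unit of comparison."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Snapshot:
    """What one scan records at a point in time (assumed fields)."""
    firmware_version: str
    bootloader_locked: bool
    hardware_ids: Dict[str, str]  # component -> identifier/serial
    files: Dict[str, str]         # path -> sha256 hex


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (severity, category, detail) for each change between two scans.
    Every change is reported; the tool cannot tell a benign update from
    tampering, so severity only reflects how hard the change is to explain."""
    findings: List[Tuple[str, str, str]] = []
    if before.firmware_version != after.firmware_version:
        findings.append(("high", "firmware",
                         f"{before.firmware_version} -> {after.firmware_version}"))
    if before.bootloader_locked and not after.bootloader_locked:
        findings.append(("critical", "bootloader", "locked -> unlocked"))
    # A component identifier that changes suggests hardware was swapped.
    for comp in sorted(set(before.hardware_ids) | set(after.hardware_ids)):
        b, a = before.hardware_ids.get(comp), after.hardware_ids.get(comp)
        if b != a:
            findings.append(("critical", "hardware", f"{comp}: {b} -> {a}"))
    for path in sorted(set(after.files) - set(before.files)):
        findings.append(("medium", "file-added", path))
    for path in sorted(set(before.files) - set(after.files)):
        findings.append(("medium", "file-removed", path))
    for path in sorted(set(before.files) & set(after.files)):
        if before.files[path] != after.files[path]:
            # Changes under the (assumed) system partition are rated higher.
            sev = "high" if path.startswith("/system/") else "medium"
            findings.append((sev, "file-modified", path))
    return findings


def worst_severity(findings: List[Tuple[str, str, str]]) -> str:
    """Highest severity present, or "none" when the scans match."""
    return max((f[0] for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed sample content standing in for bytes read off a device.
_BASE_FILES = {
    "/system/lib/libssl.so": sha256_hex(b"libssl v1 bytes"),
    "/system/bin/sh": sha256_hex(b"shell bytes"),
    "/data/app/mail.apk": sha256_hex(b"mail app bytes"),
}
PRE_TRAVEL = Snapshot(firmware_version="2021.06.1", bootloader_locked=True,
                      hardware_ids={"baseband": "BB-0001", "storage": "ST-0001"},
                      files=_BASE_FILES)
_POST_FILES = dict(_BASE_FILES)
_POST_FILES["/system/lib/libssl.so"] = sha256_hex(b"libssl v1 bytes, altered")
_POST_FILES["/data/local/tmp/helper"] = sha256_hex(b"unknown binary")
POST_TRAVEL = Snapshot(firmware_version="2021.06.1", bootloader_locked=False,
                       hardware_ids={"baseband": "BB-0001", "storage": "ST-9999"},
                       files=_POST_FILES)


def run_demo() -> List[Tuple[str, str, str]]:
    """Compare the constructed pre- and post-travel snapshots."""
    return diff_snapshots(PRE_TRAVEL, POST_TRAVEL)


if __name__ == "__main__":
    for sev, cat, detail in run_demo():
        print(f"[{sev}] {cat}: {detail}")
    print("overall:", worst_severity(run_demo()))
```

The design point is that the comparison is against the device's own earlier state rather than against a list of known-bad indicators, so it catches modifications nobody has a signature for; the cost is that legitimate changes (an OS update applied abroad) are flagged too and must be reviewed by a person.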
o Mobile Network Security Service
o Finally, CISA, in cooperation with the Department of Homeland Security, Science and Technology (S&T) Directorate, is developing a pilot solution to deploy protective DNS services to mobile devices. As government agencies and their employees are increasingly relying on mobile devices with an exponential increase in use due to the extensive remote work posture adopted in the wake of the pandemic, a protective DNS solution for mobile traffic will align DNS protections with those provided to traditional enterprise systems.
o The research-and-development project is being led by Herndon, Va.-based GuidePoint Security, which is designing a solution that will route mobile DNS traffic to a protective DNS resolver managed by CISA. This mobile protective DNS capability is intended to integrate with CISA’s protective DNS shared service offering.
§ The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) opened a consultation titled “Digital identity and attributes consultation” that “asks for views on how the digital identity system should operate, including proposals for a governing body which will be charged with making sure organisations follow government rules on digital identity.” DCMS stated:
o Online authentication, identity and eligibility solutions can increase security, ease of use and accessibility to public services. They are central to making public services more efficient and effective. They will also improve people’s ability to operate confidently in an increasingly digital economy.
o The government is committed to realising the benefits of digital identity, without creating ID cards. Earlier this year we published a draft of the UK digital identity and attributes trust framework. This set out what rules and standards are needed to protect people’s sensitive identity data when used digitally.
o More information can be found in this press release.
o This consultation now seeks views on three key issues:
§ the governance system to oversee digital identity and make sure organisations comply with the rules
§ how to allow trusted organisations to make digital checks against authoritative government-held data
§ establishing the legal validity of digital identities, so people are confident they are as good as physical documents like passports or bank statements
Further Reading
§ “The Nightmare of Our Snooping Phones” By Shira Ovide — The New York Times. “Data privacy” is one of those terms that feels stripped of all emotion. It’s like a flat soda. At least until America’s failures to build even basic data privacy protections carry flesh-and-blood repercussions. This week, a top official in the Roman Catholic Church’s American hierarchy resigned after a news site said that it had data from his cellphone that appeared to show the administrator using the L.G.B.T.Q. dating app Grindr and regularly going to gay bars. Journalists had access to data on the movements and digital trails of his mobile phone for parts of three years and were able to retrace where he went.
§ “U.S. Military Bought Cameras in Violation of America’s Own China Sanctions” By Sam Biddle — The Intercept. Numerous federal agencies, including several branches of the military, buy video surveillance equipment that can’t legally be used in U.S. government systems and that is made by Chinese companies sanctioned on national security grounds, records and products reviewed by The Intercept indicate. The agencies purchased blacklisted hardware through a network of American resellers that claimed the camera systems were in compliance with the sanctions. Those claims in numerous cases had little apparent basis, according to a joint investigation with IPVM, a video surveillance industry research publication.
§ “Fraud on the Farm: How a baby-faced CEO turned a Farmville clone into a massive Ponzi scheme” By Paul Benjamin Osterlund — Rest of the World. On November 21, 2019, 25-year-old Recep Ataş stepped onto a shooting range in the Istanbul suburb of Başakşehir. He fired several rounds at the target, before suddenly aiming the weapon directly against his heart and pulling the trigger. The single shot killed him. The next day, Ataş’ father told local media that his son was depressed — a large bank loan loomed over him. The money Ataş had borrowed evaporated after he’d invested it in Farm Bank, a smartphone app similar to the once-popular Facebook game Farmville. But unlike Farmville, Farm Bank had a real-world twist.
§ “YouTube's recommendations still push harmful videos, crowdsourced study finds” By Brandy Zadrozny — NBC News. YouTube’s recommendation algorithm suggests videos with misinformation, violence, hate speech and other content that violates its own policies, researchers say. A new crowdsourced investigation from the Mozilla Foundation, the nonprofit behind the Firefox web browser, asked more than 37,000 YouTube users to act as watchdogs and report harmful content through a browser extension that was then analyzed by research assistants at the University of Exeter in England. That user-supplied content included Covid-19 misinformation, political conspiracy theories, and both violent and graphic content, including sexual content that appeared to be cartoons for children, the analysis found.
§ “How Vietnam's 'influencer' army wages information warfare on Facebook” By James Pearson — Reuters. In Vietnam, where the state is fighting a fierce online battle against political dissent, social media "influencers" are more likely to be soldiers than celebrities.
§ “‘Cyber-attack’ hits Iran’s transport ministry and railways” — The Guardian. Websites of Iran’s transport and urbanisation ministry went out of service on Saturday after a “cyber-disruption” in computer systems, the official IRNA news agency reported. On Friday, Iran’s railways also appeared to come under cyber-attack, with messages about alleged train delays or cancellations posted on display boards at stations across the country. Electronic tracking of trains across Iran reportedly failed.
§ “China Plans Security Checks for Tech Companies Listing Overseas” By Raymond Zhong — The New York Times. China moved on Saturday toward requiring domestic tech companies to submit to a cybersecurity checkup before they can go public on overseas stock exchanges, a step that would close the regulatory gap that allowed the ride-hailing giant Didi to list shares on Wall Street last week without getting a clean bill of digital health from Beijing. On July 2, two days after Didi’s shares began trading on the New York Stock Exchange, China’s internet regulator ordered the company to stop signing up users while officials conducted a security review, sending its share price tumbling.
§ “China drafts new cyber-security industry plan” — Reuters. China's Ministry of Industry and Information Technology said on Monday it has issued a draft three-year action plan to develop the country's cyber-security industry, estimating the sector may be worth more than 250 billion yuan ($38.6 billion) by 2023.
§ “UK’s trade chief Liz Truss seeks closer ties with tech firms in US visit” By Graham Lanktree — Politico. Britain's Trade Secretary Liz Truss is headed to the United States for a five-day visit where she'll try to forge new ties with the country's tech giants. Truss' trip, running Sunday through Thursday, will see her stop in San Francisco, where she is slated to meet Silicon Valley companies as well as representatives of California Governor Gavin Newsom.
§ “Twitter appoints resident grievance officer in India to comply with new internet rules” By Manish Singh — Tech Crunch. Twitter has appointed a resident grievance officer in India days after the American social media firm was said to have lost the liability protection on user-generated content in the South Asian nation over non-compliance with local IT rules. On Sunday, Twitter identified Vinay Prakash as its new resident grievance officer and shared a way to contact him as required by India’s new IT rules, which were unveiled in February this year and went into effect in late May. Twitter has also published a compliance report, another requirement listed in the new rules.
§ “The US needs a 'Digital Marshall Plan' to counter China's Digital Silk Road” By Orit Frenkel, Kent Hughes and Jennifer A. Hillman — The Hill. The United States is poised to launch a much-needed initiative to advance American global competitiveness. Done right, such an initiative could usher in a U.S. era of strong, inclusive and sustainable economic growth, along with reinvigorated global leadership. Both Congress and the Biden administration are contemplating major initiatives. They should take bold action, lest they squander this moment.
§ “The Most Influential Spreader of Coronavirus Misinformation Online” By Sheera Frenkel — The New York Times. The article that appeared online on Feb. 9 began with a seemingly innocuous question about the legal definition of vaccines. Then over its next 3,400 words, it declared coronavirus vaccines were “a medical fraud” and said the injections did not prevent infections, provide immunity or stop transmission of the disease. Instead, the article claimed, the shots “alter your genetic coding, turning you into a viral protein factory that has no off-switch.”
Coming Events
§ 27 July
o The Federal Trade Commission (FTC) will hold PrivacyCon 2021. The FTC has announced this agenda:
§ Introduction: Jamie Hine, Senior Attorney, Federal Trade Commission, Division of Privacy & Identity Protection
§ Welcome to PrivacyCon: Rebecca Kelly Slaughter, Commissioner, Federal Trade Commission
§ Opening Remarks: Erie Meyer, Chief Technologist, Federal Trade Commission
§ Panel 1: Algorithms
· Basileal Imana, University of Southern California, Auditing for Discrimination in Algorithms Delivering Job Ads
· Hongyan Chang, National University of Singapore, On the Privacy Risks of Algorithm Fairness
· Martin Strobel, National University of Singapore, On the Privacy Risks of Model Explanations
· Moderator: Devin Willis, Attorney, Federal Trade Commission, Division of Privacy & Identity Protection
§ Algorithms Presentation
· Ziad Obermeyer, University of California at Berkeley, Algorithmic Bias Playbook Presentation
· Moderator: Lerone Banks, Technologist, Federal Trade Commission, Division of Privacy & Identity Protection
§ Panel 2: Privacy – Considerations and Understanding
· Nico Ebert, Zurich University of Applied Sciences, Bolder is Better: Raising User Awareness Through Salient and Concise Privacy Notices
· Siddhant Arora, Carnegie Mellon University, Finding a Choice in a Haystack: Automatic Extraction of Opt-Out Statements from Privacy Policy Text
· Cameron Kormylo, Virginia Tech, Reconsidering Privacy Choices: The Impact of Defaults, Reversibility, and Repetition
· Peter Mayer, Karlsruhe Institute of Technology, Now I’m a bit angry – Individuals’ Awareness, Perception, and Responses to Data Breaches that Affected Them
· Moderator: Danielle Estrada, Attorney, Federal Trade Commission, Division of Privacy & Identity Protection
§ Panel 3: AdTech
· Imane Fouad, Inria (France), Missed by Filter Lists: Detecting Unknown Third-Party Trackers with Invisible Pixels
· Janus Varmarken, University of California Irvine, The TV is Smart and Full of Trackers: Measuring Smart TV Advertising and Tracking
· Miranda Wei, University of Washington, What Twitter Knows: Characterizing Ad Targeting Practices, User Perceptions, and Ad Explanations Through Users’ Own Twitter Data
· Moderator: Miles Plant, Attorney, Federal Trade Commission, Division of Privacy & Identity Protection
§ Panel 4: IoT
· Anupam Das, North Carolina State University, Hey Alexa, is this Skill Safe: Taking a Closer Look at the Alexa Skill Ecosystem
· Jeffrey Young, Clemson University, Measuring the Policy Compliance of Voice Assistant Applications
· Pardis Emami-Naeni, University of Washington, Which Privacy and Security Attributes Most Impact Consumers’ Risk Perception and Willingness to Purchase IoT Devices?
· Genevieve Liberte, Florida International University, Real-time Analysis of Privacy (un)Aware IoT Applications
· Moderator: Linda Holleran Kopp, Attorney, Federal Trade Commission, Division of Privacy & Identity Protection
§ Panel 5: Privacy – Children and Teens
· Mohammad Mannan, Concordia University (Canada), Betrayed by the Guardian - Security and Privacy Risks of Parental Control Solutions and Parental Controls: Safer Internet Solutions or New Pitfalls?
· Cameryn Gonnella, BBB National Programs, Risky Business - The Current State of Teen Privacy in the Android App Marketplace
· Moderator: Manmeet Dhindsa, Attorney, Federal Trade Commission, Division of Privacy & Identity Protection
§ Panel 6: Privacy and the Pandemic
· Marzieh Bitaab, Arizona State University, Scam Pandemic: How Attackers Exploit Public Fear through Phishing
· Christine Geeng, University of Washington, Social Media COVID-19 Misinformation Interventions Viewed Positively, But Have Limited Impact
· Moderator: Christina Yeung, Technologist, Federal Trade Commission, Office of Technology Research and Investigation
§ Closing Remarks
· Lerone Banks, Technologist, Federal Trade Commission, Division of Privacy & Identity Protection
o The House Oversight and Reform Committee’s National Security Subcommittee will hold a hearing titled “Defending the U.S. Electric Grid Against Cyber Threats.”
o The Senate Banking, Housing, and Urban Affairs Committee will hold a hearing titled “Cryptocurrencies: What are they good for?”
o The Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled “Resources and Authorities Needed to Protect and Secure the Homeland” with Secretary of Homeland Security Alejandro Mayorkas.
o The Senate Judiciary Committee will hold a hearing titled “America Under Cyber Siege: Preventing and Responding to Ransomware Attacks.”
o The Senate Commerce, Science, and Transportation Committee will hold a hearing titled “Pipeline Cybersecurity: Protecting Critical Infrastructure.”
§ 28 July
o The House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will hold a hearing titled “Transforming the FTC: Legislation to Modernize Consumer Protection” with the five FTC Commissioners.
o The House Oversight and Reform Committee’s Government Operations Subcommittee will hold a hearing titled “FITARA 12.0” to review the federal government’s Federal Information Technology Acquisition Reform Act (FITARA) compliance.
o The House Administration Committee will hold a hearing titled “Election Subversion: A Growing Threat to Electoral Integrity.”
o The House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will mark up its portion of the committee’s FY 2022 National Defense Authorization Act (H.R.4395).
§ 5 August
o The Federal Communications Commission (FCC) will hold its monthly open meeting with this tentative agenda:
§ Establishing Two New Innovation Zones. The Commission will consider a Public Notice that would create two new Innovation Zones for Program Experimental Licenses and the expansion of an existing Innovation Zone. (ET Docket No. 19-257)
§ Numbering Policies for Modern Communications. The Commission will consider a Further Notice of Proposed Rulemaking to update the Commission’s rules regarding direct access to numbers by interconnected Voice over Internet Protocol providers to safeguard the nation’s finite numbering resources, curb illegal robocalls, protect national security, and further promote public safety. (WC Docket Nos. 13-97, 07-243, 20-67; IB Docket No. 16-155)
§ Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions. The Commission will consider a Report and Order that would establish a process for the Commission to review decisions of the private STIR/SHAKEN Governance Authority that would have the effect of placing voice service providers out of compliance with the Commission’s STIR/SHAKEN implementation rules. (WC Docket Nos. 17-97, 21-291)
§ Modernizing Telecommunications Relay Service (TRS) Compensation. The Commission will consider a Notice of Proposed Rulemaking on TRS Fund compensation methodology for IP Relay service. (CG Docket No. 03-123; RM-11820)
§ Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Notice of Proposed Rulemaking to update outmoded political programming rules. (MB Docket No. 21-293)
§ Review of the Commission’s Part 95 Personal Radio Services Rules. The Commission will consider a Memorandum Opinion and Order on Reconsideration that would grant three petitions for reconsideration of the Commission’s May 2017 Part 95 Personal Radio Services Rules Report and Order. (WT Docket No. 10-119)
§ 1 September
o The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).